CLAIMS: 



1 . A network security system comprising: 

a first distributed software agent to collect a first stream of alerts from a first 
network security device having a first clock, each alert in the first stream representing an 
event detected by the first network security device and including a time of detection by 
the first network security device according to the first clock; 

a second distributed software agent to collect a second stream of alerts from a 
second network security device having a second clock, each alert in the second stream 
representing an event detected by the second network security device and including a 
time of detection by the second network security device according to the second clock; 
and 

a manager module in communication with the distributed software agents to 
receive the first and second stream of alerts, identify a common event represented by a 
first alert in the first stream from the first network security device and by a second alert in 
the second stream from the second network security device, and synchronize the first 
clock and the second clock using the common event. 

2. The network security system of claim 1 , wherein the manager module 
synchronizes the first clock and the second clock by determining a synchronization error 
using the time of detection of the common event in the first alert and the time of detection 
of the common event in the second alert, and correcting the synchronization error. 
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3. The network security system of claim 1 , wherein the manager module 
synchronizes the first clock and the second clock by selecting one of the first and second 
clocks as a reference clock, and adjusting the other clock to the reference clock. 

4. The network security system of claim 3, wherein selecting one of the first and 
second clocks comprises determining a relationship of the first and second clocks to a 
system-wide reference clock. 

5. The network security system of claim 1 , wherein the manager module 
synchronizes the first clock and the second clock by adjusting a time offset associated 
with the first clock that is stored by the manager module. 

6. The network security system of claim 1 , wherein the manager module identifies a 
common event by detecting a new Internet Protocol (EP) address in the first alert and the 
second alert. 

7. The network security system of claim 1, wherein the manager module identifies a 
common event by determining that the second alert is corroborative of the first alert. 

8. The network security system of claim 1, wherein the first network security device 
comprises an Intrusion Detection System (IDS). 
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9. A method performed by a network security system, the method comprising: 
receiving a first stream of alerts from a first network security device having a first 

clock, each alert in the first stream representing an event detected by the first network 
security device and including a time of detection by the first network security device 
according to the first clock; 

receiving a second stream of alerts from a second network security device having 
a second clock, each alert in the second stream representing an event detected by the 
second network security device and including a time of detection by the second network 
security device according to the second clock; 

identifying a common event represented by a first alert in the first stream from the 
first network security device and by a second alert in the second stream from the second 
network security device; and 

synchronizing the first clock and the second clock using the common event. 

10. The method of claim 9, wherein synchronizing the first clock and the second 
clock comprises determining a synchronization error using the time of detection of the 
common event in the first alert and the time of detection of the common event in the 
second alert, and correcting the synchronization error. 

1 1 . The method of claim 9, wherein synchronizing the first clock and the second 
clock comprises selecting one of the first and second clocks as a reference clock, and 
adjusting the other clock to the reference clock. 
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12. The method of claim 1 1 , wherein selecting one of the first and second clocks 
comprises determining a relationship of the first and second clocks to a system-wide 
reference clock. 



13. The method of claim 9, wherein synchronizing the first clock and the second 
clock comprises adjusting a time offset associated with the first clock. 

i 

14. The method of claim 9, wherein identifying a common event comprises detecting 
! a new IP address in the first alert and the second alert. 



15 The method of claim 9, wherein identifying a common event comprises 
determining that the second alert is corroborative of the first alert. 



16. A machine readable medium storing a set of instructions that, when executed by 
the machine, cause the machine to: 

receive a first stream of alerts from a first network security device having a first 
clock, each alert in the first stream representing an event detected by the first network 
security device and including a time of detection by the first network security device 
according to the first clock; 

receive a second stream of alerts from a second network security device having a 
second clock, each alert in the second stream representing an event detected by the 
second network security device and including a time of detection by the second network 
security device according to the second clock; 
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identify a common event represented by a first alert in the first stream from the 
first network security device and by a second alert in the second stream from the second 
network security device; and 

synchronize the first clock and the second clock using the common event. 

17. The machine readable medium of claim 16, wherein synchronizing the first clock 
and the second clock comprises determining a synchronization error using the time of 
detection of the common event in the first alert and the time of detection of the common 
event in the second alert, and correcting the synchronization error. 

18. The machine readable medium of claim 16, wherein synchronizing the first clock 
and the second clock comprises selecting one of the first and second clocks as a reference 
clock, and adjusting the other clock to the reference clock. 

19. The machine readable medium of claim 18, wherein selecting one of the first and 
second clocks comprises determining a relationship of the first and second clocks to a 
system-wide reference clock. 

20. The machine readable medium of claim 16, wherein synchronizing the first clock 
and the second clock comprises adjusting a time offset associated with the first clock. 

21. The machine readable medium of claim 16, wherein identifying a common event 
comprises detecting a new IP address in the first alert and the second alert. 
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22. The machine readable medium of claim 16, wherein identifying a common event 
comprises determining that the second alert is corroborative of the first alert. 

23. A network security system comprising: 

a plurality of distributed software agents to each collect alerts from a plurality of 
corresponding network security devices; and 

a manager module in communication with the distributed software agents to 
receive the alerts, identify a common event represented by alerts from a subset of the 
plurality of network security devices, and synchronize the subset of network security 
devices using the common event. 

24. The network security system of claim 23, wherein the manager module 
synchronizes the subset of network security devices by adjusting timestamps in each alert 
received from the subset of network security devices. 
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